Collect, Exfiltrate, Sleep, Repeat
ID: dbfd58a9-5782-59f3-a086-1fd51be3368d
STIX ID: report--dbfd58a9-5782-59f3-a086-1fd51be3368d
Feed Name: The DFIR Report
This DFIR report details an August 2022 intrusion that began with a malicious Word document (`Apply_Form.docm`). Its VBA macros dropped `Updater.vbs`, `Script.ps1`, and `temp.ps1`, registered scheduled tasks for persistence, and launched a PowerShell implant that communicated with C2 servers (notably `45.89.125.189`) using AES-CBC encryption. The operators performed discovery, deployed an AutoHotkey-based keylogger (`module.exe` + `module.ahk` + `readKey.ps1`), then compressed and exfiltrated the collected data. The activity is attributed to the Iranian group OilRig (TA452); the report includes IOCs, file hashes, and Sigma and Yara rules.
